List of all Roles
The following are all the roles currently supported by Strata Cloud Manager:
Role | UI Label | Description |
---|---|---|
adem_tier_1_support | ADEM Tier 1 Support | For use with the Prisma Access app. Read-only access to specific incident remediation workflows for only Prisma Access Autonomous Digital Experience Management (ADEM). No access to other Prisma Access services. No access to dashboards and Strata Logging Service (SLS) logs. Assign this role to third-party helpdesk employees, tier 2 and 3 support, or administrators who only need ADEM access. |
auditor | Auditor | Read-only access to functions related to all configurations, including subscriptions and licenses for the selected app. Includes access to view dashboards, but not to download, share, or schedule reports. Includes access to Strata Logging Service (SLS) logs. Assign this role to administrators who are tasked with examining the system for accuracy. |
business_admin | Business Administrator | Read and write access to all subscription and license management for the selected app. Includes read-only access to other functions, such as access policies, service accounts, and tenant service group operations. No access to dashboards and Strata Logging Service (SLS) logs. Includes the ability to activate product licenses through an email activation link. Assign this role to administrators who manage devices, licenses, and subscriptions. |
data_security_admin | Data Security Administrator | Read and write access to all data security functions for the selected app. Includes access to Strata Logging Service (SLS) logs and dashboards, and the ability to create custom dashboards and to download, share, and schedule reports. Includes read-only access to logs. This role includes a very small subset of privileges included in the Security Admin role. Assign this role to administrators who manage only decryption rule configurations. |
deployment_admin | Deployment Administrator | This role provides access to functions related to deployments. In addition, this role provides read-only access to other functions. |
dlp_incident_admin | DLP Incident Administrator | This role provides access to functions related to DLP incidents and reports. This role also provides read-only access to other functions, including but not limited to: data profile, data filtering profile, data pattern, EDM and OCR settings. |
dlp_policy_admin | DLP Policy Administrator | This role provides access to functions related to DLP policy, including but not limited to: data profile, data filtering profile, data pattern, EDM and OCR settings. |
iam_admin | IAM Administrator | Read and write access to identity and authentication functions for the selected app. Includes read-only access to logs. No access to dashboards and Strata Logging Service (SLS) logs. Assign this role to administrators who manage users. |
msp_iam_admin | Multitenant IAM Administrator | Read and write access to identity and authentication functions for all tenants in a multitenant hierarchy. Restricted to read-only access for logs. No access to dashboards and Strata Logging Service (SLS) logs. |
msp_superuser | Multitenant Superuser | Read and write access to manage all apps, Strata Logging Service (SLS) logs, and services within the assigned level of nested hierarchy. Includes all permissions assigned to all roles, including Superuser. Includes access to dashboards, and the ability to create custom dashboards and to download, share, and schedule reports. Includes the ability to activate product licenses through an email activation link. Assign this role only to users or service accounts that require unrestricted access. |
mt_manage_user | Multitenant Manage User | This role provides access to functions related to multitenant management and other common resources. |
mt_monitor_user | Multitenant Monitor User | This role provides access to functions related to multitenant monitoring and other common resources. |
network_admin | Network Administrator | Read and write access to logs and network policy configurations for the selected app. Includes read-only access to other functions: alerts, license quotas, devices, and tenant service group operations. Includes access to dashboards, and the ability to create custom dashboards and to download, share, and schedule reports. Assign this role to administrators who need to maintain authentication, certificates, and decryption rules. |
project_admin | Project Admin | This role provides access to functions related to Dynamic Privilege Access. |
project_admin_push | Project Admin Push | This role provides access to push operations. |
seb_access_and_data_admin | PA Browser Access & Data Administrator | Prisma Access Browser (PAB) data & access administrator role provides read & write access to set and manage access & data policies, define custom/private applications, and handle end user requests related to policies, and read-only permission to inventory aspects (users, devices, extensions) and to any visibility aspects (dashboards, end user events) within the Prisma Access Browser management sections. |
seb_customization_admin | PA Browser Customization Administrator | Prisma Access Browser (PAB) customization administrator role provides read & write access to set and manage browser customization policies, and read-only permission to inventory aspects (users, devices, applications, extensions) and to any visibility aspects (dashboards, end user events) within the Prisma Access Browser management sections. |
seb_permission_request_admin | PA Browser Permission Request Administrator | Prisma Access Browser (PAB) permission request administrator role provides read & write access to handle end user requests related to policies and read-only permission to visibility aspects (dashboards, end user events) within the Prisma Access Browser management sections. |
seb_security_admin | PA Browser Security Administrator | Prisma Access Browser (PAB) security administrator role provides read & write access to set and manage browser security policies, and read-only permission to inventory aspects (users, devices, applications, extensions) and to any visibility aspects (dashboards, end user events) within the Prisma Access Browser management sections. |
seb_security_and_posture_admin | PA Browser Security & Device Posture Administrator | Prisma Access Browser (PAB) security & posture administrator role provides read & write access to set and manage browser security policies, manage device posture groups and set sign-in rules. It also provides read-only permission to inventory aspects (users, applications, extensions) and to any visibility aspects (dashboards, end user events) within the Prisma Access Browser management sections. |
seb_view_only_analytics_admin | PA Browser View Only Analytics | Prisma Access Browser (PAB) view only analytics role provides read access to any visibility aspects within the Prisma Access Browser management sections, including dashboards, detailed end user events and inventory aspects (users, devices, applications and extensions). |
security_admin | Security Administrator | This role provides access to functions related to security policy configuration. This role also provides read-only access to other functions, including but not limited to: alerts, license quotas, devices, and tenant service group operations. |
soc_admin | SaaS SOC Administrator | This role allows the administrator to assess incidents and remediate risks in SaaS Security. This administrator cannot access SaaS Security API settings or modify policy rules. |
soc_analyst | SOC Analyst | This role provides read-only access to functions related to logs, reports, events, alerts, and all configuration. Assign this role to users or service accounts that need to view and investigate threats and trends. |
sspm_appowner_superuser | SaaS Posture Security Administrator | This role provides full SSPM functionality but only for the SaaS application(s) that the administrator onboards themselves. It is intended to give IT/SaaS administrators full SSPM read and write access to the SaaS apps they are responsible for. |
superuser | Superuser | Read and write access to all available system-wide functions for the selected app. Includes all permissions assigned to all other roles, including MSP Superuser. Includes the ability to activate product licenses through an email activation link. Assign this role only to users or service accounts that require unrestricted access. |
tier_1_support | Tier 1 Support | Read and write access to remediation workflows that update network, security, and device configurations for the selected app. Includes read-only access for alerts, access policies, configurations, license quotas, devices, and tenant service group operations. Full access to Strata Logging Service (SLS) logs and to view dashboards, create custom dashboards, and download, share, and schedule reports. |
tier_2_support | Tier 2 Support | Read and write access to remediation workflows that update network, security, and device configurations for the selected app. Includes read-only access for alerts, access policies, configurations, license quotas, devices, and tenant service group operations. Full access to Strata Logging Service (SLS) logs and to view dashboards, create custom dashboards, and download, share, and schedule reports. |
view_only_admin | View Only Administrator | Read-only access to all available system-wide functions for the selected app and logs. Includes access to view dashboards and to download, share, and schedule reports. |
web_security_admin | Web Security Admin | This role provides access to functions related to web security. |